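# pf.conf: NAT and filtering for a wireless network (wl_net) behind an
# Internet-facing interface, plus a tunnel interface carrying vpn_net.
# Reminder: pf evaluates rules last-match-wins unless a rule says "quick".

# Interface macros
ext_if="sis0"      # Internet-facing interface
int_if="tap0"      # tunnel interface (vpn_net side)
wifi_if="wlan0"    # wireless interface (wl_net side)

# Network macros
wl_net="172.16.0.0/12"
vpn_net="172.17.64.0/28"
# Destinations the wireless clients must never reach.
# NOTE(review): wl_net (172.16/12) is itself RFC 1918 space but is deliberately
# not listed here, since it is the clients' own network.
private="{ 10.0.0.0/8 , 192.168.0.0/16 }"

# Port lists
publicnat="{80, 443}"                     # only these destination ports are NATed out of ext_if
allow_ext_tcp="{22}"
allow_ext_udp="{161}"
allow_int_tcp="{22,53,80,3128,12345}"
allow_int_udp="{53,67,68,131,161,12345}"

# Nat the internet
# Never translate wl_net traffic bound for the private ranges: with this rule
# syntax translation happens before filtering, so a translated packet would no
# longer carry a wl_net source and the block rule below could not match it.
no nat on $ext_if from $wl_net to $private
nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if)
# NOTE(review): wl_net traffic to ports other than $publicnat (e.g. DNS) is not
# translated and would leave ext_if with its private source address -- confirm
# this is intended.

# Nat local wl access
nat on $int_if from any to $wl_net -> ($int_if)
pass on $ext_if from any to $wl_net keep state

# Block all (on the external side; specific pass rules below re-open ports)
block in on $ext_if
# NOTE(review): this catch-all pass matches everything inbound on int_if, so the
# $allow_int_tcp/$allow_int_udp rules below do not restrict anything there --
# they only add state. Confirm this is intended.
pass in on $int_if

# Make sure to block local network access from wl
# "quick" is required: without it the final "pass out ... keep state" rule
# matches last and silently overrides this block.
block out quick on $ext_if from $wl_net to $private

# Allow wl access from access point (not yet reversed)
pass on $wifi_if from $wl_net to $wl_net

# Allow directives
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
pass in on $int_if inet proto tcp from any to $vpn_net port $allow_int_tcp keep state
pass in on $int_if inet proto udp from any to $vpn_net port $allow_int_udp keep state
pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state

# Enable stateful firewalling
pass out on {$ext_if, $int_if} keep state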